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The security proof of continuous variable (CV) measurement device independent (MDI) quantum 
key distribution (QKD) cannot be reduced to the analysis of one-mode Gaussian attacks (in partic¬ 
ular, independent entangling-cloner attacks). To stress this point, the present work provides a very 
simple (almost trivial) argument, showing that there are an infinite number of two-mode Gaussian 
attacks which cannot be reduced to or simulated by one-mode Gaussian attacks. This result fur¬ 
ther confirms that the security analysis of GV-MDI-QKD must involve a careful minimization over 
two-mode attacks as originally performed in [S. Pirandola et al., Nature Photon. 9, 397-402 (2015)]. 


I. INTRODUCTION 

Measurement-device-independent quantum key distri¬ 
bution MDI-QKD promises to be a remarkably ef¬ 
fective solution for the practical implementation of the 
next generation of QKD infrastructures, in which pri¬ 
vacy should be granted over a quantum network. In 
MDI-QKD the authorized users of the network, Alice and 
Bob, exploit a swapping-like protocol where secret cor¬ 
relations are established by the measurement of a third 
untrusted party, the relay [I|, Si- This performs a Bell 
measurement but, in order to achieve security, it is not 
required to pass a Bell test. By contrast, in full device 
independent QKD the privacy of the shared key 

depends on passing a Bell test, which is still an operation 
performed with very poor success rates The power 

of the MDI approach relies indeed on its practicality: 
One can achieve high-rate side-channel-free uncondition¬ 
ally secure network communication. 

In recent years the study of QKD protocols based on 
quantum continuous variables (CVs) m has attracted 
increasingly attention because of several appealing prop¬ 
erties of CV systems: Protocols use bright coherent 
states, and exploit standard telecommunication technolo¬ 
gies; in particular coherent detection techniques, already 
developed for classical optical communication [HI- In 
addition, CV-QKD is interesting for the relatively sim- 
ple implementation of protocols at different frequencies 
[iM Finally, exploiting CV point-to-point proto¬ 

col with state-of-the-art classical reconciliation and error 
correction schemes [T^-flsj] allowed the infield implemen¬ 
tation CV-QKD over a distance of 80 Km [l^ . 

In recent works s a [13 we proposed a CV-MDI- 
QKD protocol, which we have also successfully tested 
in a proof-of-principle experiment Q. In particular, we 
proved that our scheme is capable of remarkably high 
key-rates per use of the communication channel, over 
the length of metropolitan range distances. This per¬ 
formance is orders of magnitude higher than compar ably 
practical implementations based on discrete variable . 
We therefore believe that CV-QKD will play a crucial 
role in future implementation of metropolitan quantum 
cryptography. At this scale, in fact, both high density 
of untrusted nodes and high rates should be considered 


nonnegotiable properties, if we want a quantum network 
able of competing with present classical infrastructure. 

In this work we provide additional evidences sup¬ 
porting the security analysis of CV-MDI-QKD given 
in Refs. S i- We show, by simple arguments, that 
the security analysis restricted to one-mode Gaussian 
(entangling-cloner) attacks can only account for a sub¬ 
class of all possible eavesdroppings. In particular we pro¬ 
vide a counterexample in order to explicitly prove that, 
if we model Eve’s attack assuming a restricted strategy, 
based on independent entangling doners, one cannot gen¬ 
erate all the possible covariance matrices shared between 
Alice and Bob. Our analysis confirms that a complete se¬ 
curity analysis of CV-MDI-QKD cannot indeed avoid to 
consider two-mode Gaussian attacks, as originally done 

in Refs. [ 1 , 0 - 

The structure of the paper is the following. In Sec¬ 
tion m we present the protocol. Section Ell gives general 
consideration about the security analysis, marking the 
difference between theoretical and experimental analy¬ 
ses. Section HVl provides a simple counter example to the 
(wrong) assumption that an attack by independent en¬ 
tangling doners would be complete. Finally, Sec.|V]is for 
our conclusions. 


II. DESCRIPTION OF THE PROTOCOL 

We start with a brief description of the protocol Q • At 
one side, Alice prepares a mode A in a coherent state |a) 
whose amplitude a is modulated by a Gaussian distri¬ 
bution with zero mean and large variance. At the other 
side. Bob prepares his mode B in another coherent state 
1/3) whose amplitude /3 is modulated by the same Gaus¬ 
sian distribution as Alice. Modes A and B are then sent 
to an intermediate relay where a CV Bell detection is 
performed. The classical outcomes are combined in a 
complex variable 7 , which is communicated to Alice and 
Bob via a public channel. As a result, knowledge of 7 en¬ 
ables each party to infer the variable of the other party 
by simple postprocessing (see Fig. [T]). 

In general, the relay is assumed to be untrusted [3, 
i.e., operated by Eve, and also the links with the relay 
are subject to eavesdropping. The protocol is assumed 
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FIG. 1: Basic protocol of CV-MDI-QKD 


and re-scaling of the output data. Then, from the second- 
order moments of p(a,/3,7), Alice and Bob can extract 
the CM that they would share in an equivalent 

entanglement-based representation of the protocol 
and conditioned to the outcome 7 of the Bell detection at 
the relay (see Ref. Q for more details). From this shared 
post-relay CM, they can derive the secret-key rate of the 
protocol. 


to be performed many times, so that the honest par¬ 
ties collect a large amount of classical data (we consider 
asymptotic security here). Using several tools, includ¬ 
ing de Finetti arguments and the extremality of Gaus¬ 
sian states (see Ref. Q for more details), one can reduce 
the security analysis to considering a two-mode Gaus¬ 
sian attack against the two links with the relay (per¬ 
forming a proper GV Bell detection). This type of attack 
can be constructed by suitably combining two canonical 
forms M into a correlated-noise Gaussian environment. 
The most relevant canonical forms are clearly the lossy 
channels. 

In this scenario, the two modes A and B are mixed 
with two ancillary modes, Ei and E2, by two beam split¬ 
ters with transmissivities ta and tb, respectively. These 
ancillary modes belong to a reservoir of ancillas {Ei , E2 
plus an extra set e) in a pure Gaussian state. The re¬ 
duced state aEiE2 is a correlated thermal state with zero 
mean and covariance matrix (CM) in the normal form 



where uja , wb > 1 are the variances of the thermal noise 
affecting each link, while g and g' are correlation pa¬ 
rameters, satisfying suitable physical constraints (^1^. 
After interaction. Eve’s ancillas are stored in a quantum 
memory, measured at the end of the protocol (see Fig. [21). 
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FIG. 2: Two-mode Gaussian attack against CV-MDI-QKD. 
Figure adapted from Ref. Q]. 

In order to deal with the joint attack, Alice and Bob 
must retrieve the joint statistics of the variables a, / 3 , and 
7. For this purpose, they publicly compare a small part 
of their data and reconstruct the probability distribution 
p{a,P,j). The empirical values of the transmissivities 
Ta and tb are accessible to the parties from the first- 
order moments of p(a,/3,7). Knowing these values is 
essential in order to apply the correct post-processing 


III. GENERAL CONSIDERATIONS ON THE 
SECURITY ANALYSIS 

It is important to note that, once the shared CM V£jf,|.y 
is reconstructed by Alice and Bob, the secret-key rate 
can be (numerically) computed no matter what the ac¬ 
tual eavesdropping strategy was. In fact, it is sufficient 
to consider the purification of the state Pab\-y into an envi¬ 
ronment which is assumed to be fully controlled by Eve. 
This is a pretty standard method in CV-QKD. 

However, while this approach is valid for experimental 
demonstrations, it is generally not sufficient for deriving 
analytic expressions of the key rate R, just because there 
are too many free parameters in the CM. Having simple 
analytic expressions is crucial in order to theoretically 
compare the performances of different QKD protocols. 
The next theoretical step is therefore the reduction of 
the free parameters to a minimum set which is accessible 
to the parties and that allows us to write a closed formula 
for R (or a lower-bound to R). 

It is typical to derive a single quantifier of the noise, 
the so-called ‘excess noise’ e, to be associated to the ob¬ 
served values of the transmissivities ta and tb ■ Such a re¬ 
duction is the non-trivial part of the theoretical analysis 
since it requires a minimization of the rate with respect 
to all degrees of freedom of Eve, once that the triplet ta, 
Tb, and e has been fixed. One important pre-requisite 
for such a reduction is the correct modelling of the most 
general attack that Eve can perform against the proto¬ 
col. The entire “space of the attacks” must be covered in 
this analysis. As pointed out in Ref. Q, CV-MDI-QKD 
requires the explicit consideration of all two-mode Gaus¬ 
sian attacks, not just one-mode Gaussian attacks, where 
g = g' — 0 . The latter class is in fact restricted and can 
only lead to partial security proofs. 


IV. SIMPLE COUNTER-EXAMPLE TO 
ONE-MODE ATTACKS 

Here we easily show that one-mode Gaussian attacks 
represent a restricted class and, therefore, any security 
proof of CV-MDI-QKD based on these attacks can only 
be partial. Furthermore, since they form a restricted 
class, it does not make sense to claim their optimality. 

For the sake of simplicity, consider the symmetric con¬ 
figuration U, where Alice’s and Bob’s channels are iden¬ 
tical lossy channels, with the same transmissivity r. Ex- 
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tension to asymmetric configurations is just a matter of 
technicalities. After the action of the relay, the shared 
CM of Alice and Bob is simply given by Q 




where 
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6 2 [r/r + (1 — t)x] , 6' := 2 [rfi + (1 — t)x'\ . (3) 


with 


X = 


UJa + <^B 


9, X = 


UJA + UJb 


9 


( 4 ) 


In the previous CM, the modulation parameter ^ is 
known to Alice and Bob, and also the transmissivity r 
which is derived by comparing the shared data and com¬ 
puting the first-order moments. By contrast, Alice and 
Bob do not directly access the values of the thermal noise 
and the correlation parameters, since they are combined 
in the x-parameters of Eq. The fact that the pa¬ 
rameters UJA, i^B, 9 and g' get scrambled in x and x' has 
led some authors to claim that one-mode attacks 
{9 — 9 ' = 0) with suitable values of the thermal noise 
{ujA and ujb) could simulate any two-mode attack with 
arbitrary uja, ^b, 9, and g'. However, it is quite trivial 
to check that this is not the case. 

To understand this point, it is important to note that 
the components of the CM are monotonic in x and 
x'. As an example, the top-left component 


One may attempt to enlarge the set of one-mode at¬ 
tacks by allowing for squeezed thermal noise, i.e., the use 



FIG. 3: Correlation parameter g versus thermal noise uj. For 
any value of w, two-mode attacks with 0 < g < uj — 1 are 
performed with separable ancillas, while two-mode attacks 
satisfying the stronger condition of Eq. have entangled 
ancillas and cannot be simulated by one-mode attacks. Values 
of g above ^/uj^ — 1 are prohibited by quantum mechanics. 


of thermal states with asymmetric variances, uj\ for the 
q-quadrature and for the p-quadrature (and similarly, 
uJq and Wg, for the other ancilla). In this case, Eq. (|4]) 
for one-mode attacks would become 
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( 5 ) 


is increasing in x, so that Vn is minimum when x is 
minimum. In the case of one-mode attacks {g = g' = 0), 
we have x > 1. It is therefore clear that any two-mode 
attack such that x < 1 cannot be simulated by one-mode 
attacks. Indeed there is an infinite number of such two¬ 
mode attacks. In fact, let us assume that Eve performs 
a two-mode attack with uja = ujb = uj and g' = —g. In 
this case, we have x = x' = uj — g, and the condition 
a: < I corresponds to imposing 


00 — 1 < g < \J— (6) 


which are attacks where Eve’s ancillas are entangled. 

Thus, for any value of w, we can pick an entangled 
two-mode attack which cannot be simulated by one-mode 
attacks. In other words, this entangled attack generates 
a shared CM which does not belong to the set 

of possible CMs associated with one-mode attacks. As 
depicted in Fig.|3l there is an infinite number of entangled 
attacks which cannot be reduced to one-mode attacks. 


However, since uji\uj\ > 1 and ujgUj^ > 1, it is easy to 
check that realizing x < 1 would imply x' > 1, and vice 
versa. As a result, there will always be components in 
the shared CM whose values, for entangled attacks, 
cannot be realized by assuming one-mode attacks. 


V. CONCLUSION 


We have considered the security analysis of CV-MDI- 
QKD. We have explicitly shown that one-mode Gaussian 
(entangling-cloner) attacks represent a restricted class, 
which cannot generate all the possible shared CMs for 
Alice and Bob. This is true for any fixed value of the 
transmissivity r for the two lossy channels (extension to 
different transmissivities ta and tb is trivial). This very 
simple result confirms the necessity of explicitly studying 
two-mode Gaussian attacks in the security anaWsis of 
CV-MDI-QKD, as originally considered in Ref. [J. 
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